Git version used in summerwind/actions-runner-dind image is outdated and vulnerable #4244

@sudarshang-nice

Description

Controller Version

v0.27.0

Helm Chart Version

0.22.0

CertManager Version

No response

Deployment Method

ArgoCD

cert-manager installation

No, we are not using cert-manager installation

Checks

  • This isn't a question or user support case (For Q&A and community support, go to Discussions. It might also be a good idea to contract with any of the contributors and maintainers if your business is so critical and therefore you need priority support)
  • I've read the release notes before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
  • My actions-runner-controller version (v0.x.y) does support the feature
  • I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
  • I've migrated to the workflow job webhook event (if you are using webhook driven scaling)

Resource Definitions

apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  name: example
spec:
  replicas: 1
  template:
    metadata:
      annotations:
    spec:
      dockerdContainerResources: {}
      dockerdWithinRunnerContainer: true
      githubAPICredentialsFrom:
  
---
apiVersion: actions.summerwind.dev/v1alpha1
kind: HorizontalRunnerAutoscaler
metadata:
  name:
spec:
  maxReplicas: 2
  metrics:
    - scaleDownAdjustment: 1
      scaleDownThreshold: '0.3'
      scaleUpAdjustment: 1
      scaleUpThreshold: '0.75'
      type: PercentageRunnersBusy
  minReplicas: 1

To Reproduce

Option 1 – Using kubectl exec
Deploy the runner-controller with image summerwind/actions-runner-dind:v2.328.0-ubuntu-20.04.
Identify the runner pod:
kubectl get pods -n <namespace>
Access the pod:
kubectl exec -it <runner-pod-name> -n <namespace> -- /bin/bash
Run:
git --version
Expected output:
git version 2.38.0

Option 2 – Add a Step in Workflow
Add the following step to your GitHub Actions workflow:
- name: Check Git version
  run: git --version

Run the workflow and check the logs for:
git version 2.38.0

Describe the bug

The GitHub Actions Runner Controller uses a base image that includes an outdated version of Git.

Currently, I am using runner version v2.328.0-ubuntu-20.04, which includes Git 2.38.0. This version is affected by a known security vulnerability.

Security Advisory Reference

Git Security Advisory – GHSA-vwqx-4fm8-6qc9

Impact

Using an outdated Git version may expose the environment to known security vulnerabilities.

Recommended action: Upgrade Git to the latest version (e.g., 2.51.0 or newer) or at least a patched version.

Describe the expected behavior

The runner-controller image should include a secure and up-to-date version of Git (e.g., version 2.51.0 or newer) that is not affected by known security vulnerabilities.

When running git --version inside the runner pod, it should return a safe, patched version such as:

git version 2.51.0

Whole Controller Logs

not necessary

Whole Runner Pod Logs

√ Connected to GitHub

Current runner version: '2.328.0'
2025-09-10 06:04:29Z: Listening for Jobs

Additional Context

No response
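
A version gate for the workflow step in Option 2, as an added example that is not part of the original issue or the project's own code: it parses `git --version` output and fails when the version is below a minimum. The function names, the `--enforce` flag, the `check-git.sh` file name and the `MIN_GIT_VERSION` variable are assumptions of this example; the 2.51.0 default is the version the issue suggests, not a verified patch boundary for the advisory.

```shell
#!/bin/sh
# Added example: fail a job when the runner's Git is older than a minimum.
# 2.51.0 is the version the issue suggests; set MIN_GIT_VERSION to the patched
# release your own review of the advisory identifies (assumed variable name).
MIN_GIT_VERSION="${MIN_GIT_VERSION:-2.51.0}"

# Extract the dotted numeric version from `git --version` output, dropping
# vendor suffixes such as " (Apple Git-154)" or ".windows.1".
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Return 0 when version $1 >= version $2, comparing numeric fields in order.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}"; y="${y:-0}"      # a missing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Classify raw `git --version` output. Prints ok / outdated / unparsed and
# returns 0 / 1 / 2 so a workflow step fails on anything but "ok".
check_git_version() {
    v="$(parse_git_version "$1")"
    if [ -z "$v" ]; then echo "unparsed"; return 2; fi
    if version_ge "$v" "$MIN_GIT_VERSION"; then echo "ok"; return 0; fi
    echo "outdated"; return 1
}

# Gate the real binary only when invoked as: sh check-git.sh --enforce
if [ "${1:-}" = "--enforce" ]; then
    check_git_version "$(git --version 2>/dev/null)"
    exit $?
fi
```

Treating unparseable output as a failure keeps the gate closed when Git is missing or its output format is unexpected.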

Labels

  • bug (Something isn't working)
  • community (Community contribution)
  • needs triage (Requires review from the maintainers)
